StayWell Health Management, LLC

StayWell Health Management, a business associate (BA) for multiple covered entities (CE), reported that, from March 29, 2012, until January 21, 2014, spreadsheets containing the protected health information (PHI) of 19,474 individuals who participated in wellness programs were unintentionally available online when an internal administrative tool generated reports and placed those reports in a public facing folder. The types of PHI on the spreadsheets included the participants’ names, email addresses, unique BA identification numbers, and information about participation in the program. The BA provided breach notification to HHS, affected individuals, and the media on behalf of the CEs affected by the breach: Regents of the University of Minnesota, Missouri Consolidated health Care Plan, Clorox Company Group Insurance Plan, Nissan North America, Inc., and QBE Holdings, Inc. Upon discovery of the breach, the BA upgraded its platform and revised and implemented its policies and procedures. OCR obtained assurances that the BA implemented the corrective actions listed above. Steps were also taken to restrict access to and to remove the data entirely from Google, Bing, Yahoo, and other search engines. Separate breach cases have been opened for each of the affected CEs.
Location of breached information: Network Server
Business associate present: Yes